Re: Part of the web page being MODIFIED !

From: Bryan Wagstaff (bryanw@xmission.com)
Date: 11/26/02

    Date: Tue, 26 Nov 2002 11:23:51 -0700
    From: Bryan Wagstaff <bryanw@xmission.com>
    To: Frank Cheong <chocobofrank@hotmail.com>
    
    

    Quoting Frank Cheong <chocobofrank@hotmail.com>:

    > I received complaints regarding one of the images on my web site has been
    > modified by a PORN picture ! While the image has resumed normal during
    > the second visit.

    You say you have had complaints, but don't state if you have seen it or
    not. Can YOU repeat the problem?

    > Therefore, the image hasn't been modified. So I do want to know what are
    > the possibilities in doing this ?
    > (Like HTTP session hijack, proxy poisoning, someone doing man in the
    > middle etc) any other ways to do that ?

    There are many ways of that sort of thing happening, but you need to do
    more research to find it.

    If this is something you can verify and repeat, I would first check your
    local machine.

    Has the machine been compromised? If no, are you sure?

    If using unmodified versions of the http server, do the checksums match
    those of the source? (assuming you are using Apache or some other Free/Open
    server) When posting back to the group, please include the versions of the
    software you are using.

    Does the problem appear on another similarly configured machine?

    > As these activities mostly happens outside my server boundary, I assume I
    > can't do anything with it, how about any outside parties ?

    You say 'mostly happens outside my server boundary'. Please be more
    specific.

    Do those outside your network ALWAYS see the corrupted pages then the
    proper image? Does everyone inside your network see the corrupted pages?
    If only some machines inside your 'server boundary' see the corrupted
    pages, are those machines within a NAT device? For example, are machines
    within a 192.168.1.* seeing the corrupted pages while 192.168.0.* are
    seeing the original?

    > As I know going for SSL may be one of the alternatives to stop this but
    > this will add on extra processing on my website and it will make it slow.
    > So I don't want to go for it, any other way to secure against this ?

    You need to know where the problem is before you can fix it. Right now I
    would say you have some script kiddie playing with the site, but I wouldn't
    remove other possibilities without more research.

    If you have a corrupted web server, moving to SSL would not solve the
    problem, it would actually make it appear that you are intentionally
    sending the images.

    For the man-in-the-middle attack, you could test that out by changes to
    your network or Internet connections. If you are a small business, your
    ISP would probably help.

    If someone were performing a targeted man-in-the-middle attack, you need to
    have a trusted root CA give you a cert. (If you have a self-signed or
    unsigned cert, then they could easily forge one.) If you don't already
    have one, those can take a little work and money to get.

    Best of luck!

    bryanw@xmission.com
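
The triage questions in the reply above (is the file on the server intact, does the server itself serve it intact, which clients see the altered image) can be written as a hash comparison. This is an added example, not part of the original message; the vantage names, sample bytes and the list of proxy headers are constructed assumptions.

```python
import hashlib

# Response headers commonly added by HTTP caches and proxies (assumed set).
PROXY_HEADERS = ("via", "x-cache", "age")

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def localize(known_good: str, on_disk: bytes, observations):
    """Narrow down where an image is being altered.

    known_good   -- SHA-256 of the image as originally published
    on_disk      -- bytes of the file as it sits in the document root now
    observations -- list of (vantage, body, headers); vantage "loopback" means
                    fetched over HTTP on the web server itself, any other name
                    is a client address or network that fetched the same URL
    """
    result = {"where": "not-reproduced", "affected": [], "unaffected": [],
              "via_proxy": []}
    if digest(on_disk) != known_good:
        # The stored file itself changed: treat the host as compromised.
        result["where"] = "file-on-server"
        return result
    for vantage, body, headers in observations:
        if digest(body) == known_good:
            result["unaffected"].append(vantage)
            continue
        result["affected"].append(vantage)
        if any(name.lower() in PROXY_HEADERS for name in headers):
            result["via_proxy"].append(vantage)
    if "loopback" in result["affected"]:
        # Disk is clean but the server hands out other bytes: check the
        # server binary and configuration against known checksums.
        result["where"] = "web-server-software"
    elif result["affected"]:
        # Server serves clean bytes locally; the change happens downstream.
        result["where"] = "in-path-or-cache"
    return result

# Constructed sample data: one NATed client behind a cache sees a substitute.
GOOD, BAD = b"GIF89a-original-logo", b"GIF89a-substituted"
SAMPLE = [("loopback", GOOD, {}),
          ("192.168.0.10", GOOD, {}),
          ("192.168.1.20", BAD, {"Via": "1.1 cache.example"})]

if __name__ == "__main__":
    print(localize(digest(GOOD), GOOD, SAMPLE))
```
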
